Do you use Magic links?

Madza ・1 min read

Magic links are passwordless auth methods that generate unique access links. These are usually valid for a short period of time and normally sent to the email you provide in the login step.

Personally, I'm not a huge fan, and I prefer to log in with social accounts, as it's way easier than opening an email each time.

What is your experience with these? Do you use them?

Discussion (26)

Dariusz Więckiewicz (idarek)

And here is a problem. Who do you trust more? Your email provider or a social company? I would not trust, for example, Facebook as a way to log in to any website. Still, password and 2FA is way better.

Ande (aslasn)

I think using a provider that already has hardened security is still a nice way to log in. Honestly, they don't gain much about you other than the fact you use service X. Their widespread trackers all around the web do most of the work.

I wish more people cared tho.

Philipp Kursawe (pke)

It's not about trust only. If the email provider scans your emails and executes your login links you will instantly see that when you want to use the link. It has been used.

Your inbox is your single point of failure. So it needs your strongest password. It's your only fallback when you forget passwords to other sites and get "reset" links.

I say: when you implement "reset" links you can also support just magic links.
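Added example, not part of the thread or any commenter's code: a minimal sketch of the single-use, short-lived token behind a magic link, showing how a second visit (for instance after a mail scanner already followed the link) is reported as already used. The class name, the 15-minute lifetime and the in-memory store are assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; the thread only says "a short period"


def _digest(token: str) -> str:
    # Store only a hash, so a leaked table does not hand out working links.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class MagicLinkStore:
    """In-memory stand-in (hypothetical) for a table of issued login tokens."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}  # digest -> {"email", "expires_at", "used_at"}

    def issue(self, email: str) -> str:
        """Create a token; the caller mails https://<site>/login?token=<token>."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[_digest(token)] = {
            "email": email,
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
            "used_at": None,
        }
        return token

    def redeem(self, token: str):
        """Return (status, email). Only status "ok" may start a session."""
        row = self._tokens.get(_digest(token))
        if row is None:
            return ("unknown", None)
        if row["used_at"] is not None:
            # Someone or something (e.g. a mail scanner) already followed the link.
            return ("already_used", None)
        if self._clock() > row["expires_at"]:
            return ("expired", None)
        row["used_at"] = self._clock()  # burn the token before creating the session
        return ("ok", row["email"])
```

In a real database the burn step must be a single atomic update (set `used_at` only where it is still null) so two concurrent requests cannot both succeed.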

Madza (madza) Author

Good point on security 🔐😉

Akash Kava (akashkava) • Edited

Recently we switched away from social accounts (as Google started asking too many questions regarding who our users are and what they use our app for, etc.). We generate a unique login link and send it to the user's email address. They can log in by clicking the link.

And yes, users love it; remembering/resetting a password is a mess, especially when dealing with non-technical users. Users still have the option of using a password, but they often use sign-in with email.

Jesus The Hun (jesusthehun)

Hi, do you have any stats to share? What % of your users are using it? What are your customer segments in terms of age? What industry? And no, I'm not the police :D

Madza (madza) Author

That's exactly what the post's about. Can you elaborate a bit on whether or not your users like it better this way? 👀

Akash Kava (akashkava)

Users like it, especially when they are not very tech savvy.

Madza (madza) Author

Great if it works for you and your clients 😉👍

Jon Lauridsen (jonlauridsen)

I'd say I don't like them, because logging in with a unique id+password is 100% effortless with a password manager, whereas magic links require opening my email, which is annoying because it takes time, it's guilt-inducing when there are emails I should be responding to, and it's a context switch because all these other parts of my life appear and suddenly I'm off doing 4 other things and I never did get around to using your service.

Email-notifications for unexpected logins are a fine way to include the email factor without being too intrusive IMO.

Does passwordless auth solve any fundamental security issues?

Philipp Kursawe (pke)

How is opening your email program and instantly seeing the magic link email any slower than remembering your many social media logins (when they are not cached you are back to remembering logins and passwords)? When you forgot your social media password and/or haven't logged in on the device, you need to reset your password. Then you have to check your email at least once to actually reset the password and then you have to update all your other devices with this new password.

passwordless ftw

You only have to remember one password: that of your inbox.

You can always add another factor like WebAuthn or OTP

Travis Fantina (tfantina)

I'm setting up a site right now that will use magic links, the reasoning is a low barrier to entry. My site has an inviting service where users can invite other users, I wanted an invited user to just click an invite link and immediately have access to the site. That sort of thinking just carried over to the whole app and I just got rid of passwords in general.

There is still a remember me option when generating the email token.

Ben Halpern (ben)

I'm enjoying reading the answers here. Considering the possible use of magic links as a Forem feature (in addition to other forms of auth) with some reservations about how to best approach ideas like this from UX and security perspectives.

Yuli (stremovsky)

I spent a lot of time researching this subject and created my own implementation that is using Databunker secure session store:

github.com/securitybunker/databunk...

My implementation of passwordless login with magic link

You can use my example and adjust it for your needs. It is a stand-alone solution. You do not need to pay for any 3rd party service. Here is a link:

github.com/securitybunker/databunk...

Craig Davidson (cdavid15)

To be honest I hate them. I have seen them more on training course providers recently and the issue I have is these are allocated to my work email address, which I don't have access to out of work. This is a huge pain as it means I can't actually do any of the courses in my own time, so it is actually a restriction in my view.

Amelia Vieira Rosado (technoglot)

I don't hate them nor love them. I think I have used them once or twice. 🤔 If anything, I typically use social accounts to log into certain sites.

Madza (madza) Author

Same here, although I agree with @idarek's point 😉

Amelia Vieira Rosado (technoglot)

Same, but who uses Facebook anyway? 😂 (I know some still do, I just don't want that garbage in my life. Whoops, I said it)

Madza (madza) Author

Yeah, probably one of the best decisions I made like 5 years ago 😉

Amelia Vieira Rosado (technoglot)

Hahahah, same. Don't wanna get Zuck'd! 🤣

Madza (madza) Author

Hahahah, good one 😀😀

Huzaifa Rasheed (huzaifa99)

I have used them on different sites but not implemented them on my own, TBH I didn't know they were called magic links till now. 👍

Madza (madza) Author • Edited

Also, magic.link is a great and easy to set up solution if you ever come across the need to use them in your own projects 😉

marcellothearcane

They're okay, until you want to log in to a site on your work computer and the link is sent to a personal email which is on another device.

Sergio Di Fiore (sdifiore)

I offer both possibilities to my customers and let them decide what they prefer in their website or app...
